
Testing firm finds increase in IPS security performance

Network intrusion prevention systems are showing marked security performance improvements, but some technologies are still getting failing grades, according to a new report issued by independent security testing firm, NSS Labs Inc.
Carlsbad, Calif.-based NSS Labs said the network security technology has improved on average since 2009 to a 62% effectiveness rate using default policy settings. But the performance or throughput has decreased over the last year with one vendor achieving just 3% of its claimed throughput. Several vendors also failed certain tests, leaving gaping holes in defenses.


"Generally the more signatures or rules you have, the better the security but the slower the performance," said Rick Moy, president of NSS Labs. "That has to be figured into our analysis of these solutions."


The company's Network Intrusion Prevention System (IPS) Comparative Group Test Report for the fourth quarter of 2010 found some vendor default policy settings as low as 31% effectiveness, with tuning remaining an important part of most systems. The company said two vendors failed anti-evasion testing, an improvement over 2009 when half the vendors tested failed to detect exploits that use obfuscation techniques to evade detection.

Many stand-alone IPS devices are being strained by the rise in client-side attacks -- when end users browse to a malicious website and fall victim to drive-by attacks.


"What has changed is that client side attacks are much more difficult to detect versus the remote attacker coming in from the outside so it takes more resources in the devices," Moy said.


The company tested the network IPS technologies from Check Point, Cisco, Endace, Fortinet, IBM, Juniper, McAfee, NSFOCUS, Palo Alto Networks, Sourcefire and Stonesoft. The testing was conducted independently and not paid by any vendor, NSS Labs said. The products were pitted against more than 1,170 live, enterprise-class exploits. Products were tested using the vendor's default or "recommended" settings and then again as tuned by a vendor representative, NSS Labs said.


NSS Labs requested that the full results not be published. McAfee's M800 IPS device had the highest overall block rate using only default settings, followed by Check Point's Power-1 appliance. The Sourcefire 3D 4500 and Check Point's Power-1 appliances had the highest achievable block rates when adding tuning -- a process that is critical to improving system effectiveness, Moy said.


Tuning can be a significant issue for enterprises because certain policy rules can result in false positives and block valid traffic, Moy said. It can also be costly because a network security pro often has to address device tuning every month.


"This is not a set it and forget it device," Moy said. "In the IPS world when an update comes out you have to test it to make sure it doesn't stop some of your legitimate traffic from getting into your network; especially with custom applications."

More Here



Courtesy: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1525971,00.html

What are Intrusion Detection Systems?

Intrusion Detection Systems (IDS) are a necessary part of any strategy for enterprise security. What are Intrusion Detection Systems? CERIAS, the Center for Education and Research in Information Assurance and Security, defines them this way:


“The purpose of an intrusion detection system (or IDS) is to detect unauthorized access or misuse of a computer system. Intrusion detection systems are kind of like burglar alarms for computers. They sound alarms and sometimes even take corrective action when an intruder or abuser is detected. Many different intrusion detection systems have been developed but the detection schemes generally fall into one of two categories, anomaly detection or misuse detection. Anomaly detectors look for behavior that deviates from normal system use. Misuse detectors look for behavior that matches a known attack scenario. A great deal of time and effort has been invested in intrusion detection, and this list provides links to many sites that discuss some of these efforts”(http://www.cerias.purdue.edu/about/history/coast_resources/intrusion_detection/)

There is a sub-category of intrusion detection systems called network intrusion detection systems (NIDS). These systems monitor packets on the network wire and look for suspicious activity. Network intrusion detection systems can monitor many computers at a time over a network, while other intrusion detection systems may monitor only one.
Who is breaking into your system?


One common misconception about hackers is that it is usually people outside your network who break into your systems and cause mayhem. The reality, especially for corporate workers, is that insiders can and usually do cause the majority of security breaches. Insiders often impersonate people with more privileges than themselves to gain access to sensitive information.
How do intruders break into your system?


The simplest and easiest way to break in is to let someone have physical access to a system. Despite the best of efforts, it is often impossible to stop someone once they have physical access to a machine. Also, if someone has an account on a system already, at a low permission level, another way to break in is to use tricks of the trade to be granted higher-level privileges through holes in your system. Finally, there are many ways to gain access to systems even if one is working remotely. Remote intrusion techniques have become harder and more complex to fight.
How does one stop intrusions?


There are several Freeware/shareware Intrusion Detection Systems as well as commercial intrusion detection systems.


Open Source Intrusion Detection Systems


Below are a few of the open source intrusion detection systems:


AIDE (http://sourceforge.net/projects/aide) Self-described as “AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. There are other free replacements available so why build a new one? All the other replacements do not achieve the level of Tripwire. And I wanted a program that would exceed the limitations of Tripwire.”


File System Saint (http://sourceforge.net/projects/fss) – Self-described as, “File System Saint is a lightweight host-based intrusion detection system with primary focus on speed and ease of use.”


Snort (www.snort.org) Self-described as “Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.”
Commercial Intrusion Detection Systems

More Here


Courtesy: http://xtreme8.wordpress.com/2008/06/12/what-are-intrusion-detection-systems/

IPS: Next generation IDS

An IPS offers the ability to identify an intrusion, relevance, impact, direction and proper analysis of an event and then pass the appropriate information and commands to the firewalls, switches and other network devices to mitigate the event’s risk.
The key technical components of IPS include the marriage of global and local host controls, IDS, global and local security policy, risk management software and globally accessible consoles for managing IPS.


An IPS is the next security layer to be introduced: it combines the protection of a firewall with the monitoring ability of an IDS to protect our network, adding the analysis necessary to make the proper decision on the fly.



IDS started the overall protection by first protecting the host (HIDS), then the network (NIDS). First- and second-generation IDS currently protect our network by identifying threats. IDS provide real-time alerts and reports. They cannot provide the necessary intelligence to notify all the network components downstream and upstream from the point of identification. This is where the IPS becomes part of the overall layered approach to security. An IPS gathers all network information, makes a determination of the threat, then notifies all other devices of those findings. Upstream providers can notify downstream customers of possible attacks before or during the events, as those malicious attempts arrive, and vice versa.
Although IPS are actually the next-generation IDS, there will always be a need to keep those separate technologies. Security devices must remain separate to allow depth in overall protection; thus, the firewall will need an IDS and the network will need an IPS. Each technology is bound to the other by dependencies that will not disappear.


An IPS has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with the traffic flow on a network, actively shutting down attempted attacks as they are sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address or other attributes associated with that attacker, or by blocking all access to the targeted host, service, or application.
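An added illustration, not taken from any of the quoted posts, of the two distinctions drawn above: misuse (signature) versus anomaly detection as CERIAS defines them, and an IDS that only alerts versus an IPS that sits inline and blocks the offending source. The packets, the single signature rule and the port baseline are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample packets (not captured traffic): (src_ip, dst_port, payload)
PACKETS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, b"GET /docs HTTP/1.1"),
    ("198.51.100.7", 80, b"GET /cgi-bin/x?f=../../etc/passwd HTTP/1.1"),
    ("198.51.100.7", 80, b"GET /about HTTP/1.1"),
    ("203.0.113.9", 22, b"SSH-2.0-client"),
    ("203.0.113.9", 23, b"hello"),
    ("203.0.113.9", 445, b"hello"),
    ("203.0.113.9", 3389, b"hello"),
]

# Misuse detection: a hypothetical rule describing one known-bad pattern.
SIGNATURES = {"path-traversal": re.compile(rb"\.\./\.\./")}

# Anomaly detection: a baseline of what "normal" looks like on this segment.
# A source touching more than MAX_NEW_PORTS ports outside the baseline is
# flagged; this threshold is exactly the kind of knob tuning adjusts.
BASELINE_PORTS = {80, 443}
MAX_NEW_PORTS = 2


def detect(packets, inline):
    """Return one (action, reason, src) verdict per packet.
    inline=False models an IDS: it only alerts, every packet is forwarded.
    inline=True models an IPS: the offending packet is dropped and the source
    IP is blocked for everything that follows it."""
    blocked = set()
    new_ports = defaultdict(set)
    verdicts = []
    for src, port, payload in packets:
        if inline and src in blocked:
            verdicts.append(("drop", "blocked-src", src))
            continue
        reason = None
        for name, rx in SIGNATURES.items():          # misuse detection
            if rx.search(payload):
                reason = "sig:" + name
        if port not in BASELINE_PORTS:                # anomaly detection
            new_ports[src].add(port)
            if len(new_ports[src]) > MAX_NEW_PORTS:
                reason = reason or "anomaly:port-scan"
        if reason is None:
            verdicts.append(("pass", "", src))
        elif inline:
            blocked.add(src)
            verdicts.append(("drop", reason, src))
        else:
            verdicts.append(("alert", reason, src))
    return verdicts
```

Running `detect(PACKETS, inline=False)` alerts on the traversal request and the port scan but lets the attacker's later packets through; `detect(PACKETS, inline=True)` drops those packets and every subsequent packet from the same source.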

More Here


Courtesy: http://technocache.wordpress.com/2009/03/02/ips-next-generation-ids/